Introduction
One would have to be living under a rock to think that cybersecurity isn’t one of the most important considerations in today’s world. In response to the growing need for a cybersecurity framework, President Barack Obama signed Executive Order 13636 in 2014, which directed the National Institute of Standards and Technology (NIST) to create a set of standards that are mandatory for government and military organizations and optional for the private sector. The result would come to be known as the NIST Cybersecurity Framework (NIST CSF).
NIST CSF provides a seven-step process for establishing a new cybersecurity program or improving an existing one. This article describes that seven-step process: its purpose, what each step recommends, and tips for success when applying it.
Why is this seven-step process needed?
NIST recommends that organizations follow this process in order to establish or update their cybersecurity programs. An existing program, or a proposed one, is measured against the five high-level functions of NIST CSF. These five functions are:
- Identify
- Protect
- Detect
- Respond
- Recover
These five functions distill fundamental cybersecurity risk concepts so that an organization can determine how its cybersecurity program is doing and whether there are areas that need work. They also serve as (optional) best practices to follow in order to build a better cybersecurity program.
The seven-step cybersecurity framework process
NIST recommends following this seven-step process when establishing a cybersecurity program and when reviewing an existing program to determine how it measures up. Below is a list of the seven steps, followed by a detailed exploration of each.
The seven steps
- Prioritize and Scope
- Orient
- Create a Current Profile
- Conduct a Risk Assessment
- Create a Target Profile
- Determine, Analyze and Prioritize Gaps
- Implement Action Plan
Step 1: Prioritize and Scope
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/oEuxyL5xFK4/